NIS+ users and expired passwords

Post by David Dr » Thu, 09 Mar 1995 11:07:17



Hello,

Users who are only in the NIS+ passwd table, who have expired passwords,
cannot login once their password has expired, because /usr/bin/login can
only execute /usr/bin/passwd, and it does not know about NIS+ users.

How can I fix this, other than turning off password expiration?

Regards,

David

--
"That man has a rare gift for obfuscation." -- ST:DS9

 
 
 

NIS+ users and expired passwords

Post by Henry Stilmack - JAC System Manage » Wed, 15 Mar 1995 10:31:26



> Hello,

> Users who are only in the NIS+ passwd table, who have expired passwords,
> cannot login once their password has expired, because /usr/bin/login can
> only execute /usr/bin/passwd, and it does not know about NIS+ users.

> How can I fix this, other than turning off password expiration?

> Regards,

(This has been posted before - maybe it should be in the FAQ? Anyway,
I got the original script from James Litchfield - SunSoft Western

#!/bin/sh
#
# Fix for passwd's inability to deal with naming services. Based on
# an idea of Chuck McManis. Expects the original passwd program to live in
# /usr/bin/passwd.orig (with its original permissions). Uses the "who" command
# instead of the BSD whoami command since you're not guaranteed that the BSD source
# compatibility software was installed.
#
# That is a space (040) between the double quotes in the cut command.
#
# The user name is kept in USR rather than UID, which is a read-only
# variable in some shells (bash, for example).
#
if [ $# -eq 0 ]
then
    USR=`who am i | cut -f 1 -d " "`
elif [ $# -eq 1 ]
then
    USR=$1
else
    echo "passwd: one username at a time please"
    exit 1
fi
DONE=0
# Anchor the match so commented-out lines are not picked up.
NS=`egrep '^passwd:' /etc/nsswitch.conf`
for name in $NS
do
    case "$name" in
    files)
        # Match the login-name field only, not any line containing the string.
        IPW=`egrep "^$USR:" /etc/passwd`
        if [ -n "$IPW" ]
        then
            /usr/bin/passwd.orig "$USR"
            DONE=1
            break
        fi
        ;;
    nis)
        IYP=`ypmatch "$USR" passwd 2> /dev/null`
        if [ -n "$IYP" ]
        then
            /usr/bin/yppasswd "$USR"
            DONE=1
            break
        fi
        ;;
    nisplus)
# /local/etc/nisdomains is just a list of NIS+ domains for which
# we have administrative responsibility.
        for DOM in `cat /local/etc/nisdomains`
        do
          INS=`/usr/bin/nismatch name="$USR" passwd.org_dir.$DOM`
          # Quoted: with an unquoted empty $INS this test is always true.
          if [ -n "$INS" ]
          then
            echo "You need to authenticate yourself to the NIS+ server for $DOM"
            /usr/bin/keylogin
            /usr/bin/nispasswd -D $DOM "$USR"
            DONE=1
            # Leave the name-service loop as well, not just the domain loop.
            break 2
          fi
        done
        ;;
    esac
done
if [ $DONE -eq 0 ]
then
    echo "Username $USR not found in local files or naming service"
    exit 2
fi
exit 0

 
 
 

NIS+ users and expired passwords

Post by Rob Masca » Thu, 16 Mar 1995 17:25:58


This may work fine, but I definitely do not recommend it. If you change
the root password and forget to run the passwd.orig you will almost
certainly trash root's private key and corrupt NIS+ for everyone, as
I found out myself.

Wait for Solaris 2.5. It will have support through "login" to make
nispasswd run instead of passwd if the user exists in the NIS+ tables.
I imagine a low level call built into "login" will achieve this.

--
  \        =                                                        ,-_|\

  /\/(_)\|/|\     Systems Administrator  phone:  +61 9 2221733     *_,-._/
                  Police                 Perth, Western Australia       v

 
 
 

NIS+ users and expired passwords

Post by Toomas Soo » Sat, 18 Mar 1995 02:48:49


: Hello,

: Users who are only in the NIS+ passwd table, who have expired passwords,
: cannot login once their password has expired, because /usr/bin/login can
: only execute /usr/bin/passwd, and it does not know about NIS+ users.

: How can I fix this, other than turning off password expiration?

There is a bugfix. I don't remember the number, but you can look at
sunsolve[12].sun.com:/pub/patches/Patchlist2.[34]*

--
Toomas Soome

 
 
 

NIS+ users and expired passwords

Post by William Mall » Sun, 19 Mar 1995 14:25:03




>: Hello,

>: Users who are only in the NIS+ passwd table, who have expired passwords,
>: cannot login once their password has expired, because /usr/bin/login can
>: only execute /usr/bin/passwd, and it does not know about NIS+ users.

>: How can I fix this, other than turning off password expiration?

>There is a bugfix. I don't remember the number, but you can look at
>sunsolve[12].sun.com:/pub/patches/Patchlist2.[34]*

There is *NO* bug fix.

There is a hack/patch to get around the problem.  It in turn has other PROBLEMS.
The README has all the details.  I would recommend turning Password Aging off.

The correct solution is in Solaris 2.5 (and yes I know this isn't out yet).

=wpm    William P. Malloy               SunSoft         Networking

 
 
 

NIS+ users and expired passwords

Post by Charles Stephen » Sun, 19 Mar 1995 16:58:32


: This may work fine, but I definitely do not recommend it. If you change
: the root password and forget to run the passwd.orig you will almost
: certainly trash root's private key and corrupt NIS+ for everyone, as
: I found out myself.

*.  You should have just placed /usr/local/bin in the path for
users and put passwd in there as a symlink to nispasswd.

Of course you should never have /usr/local/bin in your root's path.
:)

: Wait for Solaris 2.5. It will have support through "login" to make
: nispasswd run instead of passwd if the user exists in the NIS+ tables.
: I imagine a low level call built into "login" will achieve this.

Actually I am hoping that they just go ahead and say "hey, this should
just stay in" with the point patch.  This is a great hook we can use to
modify how and which (we have a completely hacked version to deal with
multiple domains, etc.) nispasswd gets run. :)

--
/-------------------\  Charles "*-Buddha" Stephens
| HELLO, my name is |  UNIX Systems Administrator
|-------------------|  Network Systems/Open Systems Group,

| Charles Stephens  |  Emory University, Atlanta, Georgia, USA
|                   |  "You shall soon achieve perfection."  -Fortune Cookie
\-------------------/     http://www.veryComputer.com/~cfs
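
The PATH point in the post above (a passwd symlink in /usr/local/bin for users, and no /usr/local/bin in root's path) can be checked mechanically. This is an added example, not part of the thread: a POSIX sh function that reports when a given PATH would run a different `passwd` than the expected one. The name `audit_path` and its arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (constructed, not from the thread): audit a privileged
# account's PATH for the shadowing risk discussed above.
#
# audit_path PATH_STRING [COMMAND] [EXPECTED_BINARY]
#   Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_path() (              # body runs in a subshell: IFS/set -f stay local
    path=$1:                # trailing ":" keeps a final empty entry visible
    cmd=${2:-passwd}
    expected=${3:-/usr/bin/passwd}
    status=0
    resolved=""
    set -f                  # no globbing while splitting
    IFS=:
    for dir in $path; do
        case $dir in
        /*) ;;
        *)  echo "relative or empty entry '$dir' (resolved against the current directory)"
            status=1
            continue ;;
        esac
        [ -d "$dir" ] || continue
        # ls -ld mode string: character 6 is group write, 9 is other write.
        case `ls -ld "$dir"` in
        d????w*|d???????w*)
            echo "group- or world-writable directory: $dir"
            status=1 ;;
        esac
        # Remember only the first match, as the shell's own lookup would.
        if [ -z "$resolved" ] && [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            resolved=$dir/$cmd
        fi
    done
    if [ -z "$resolved" ]; then
        echo "$cmd not found in any absolute PATH entry"
        status=1
    elif [ "$resolved" != "$expected" ]; then
        echo "$cmd resolves to $resolved, expected $expected"
        status=1
    fi
    exit $status            # leaves the subshell only; caller sees the status
)

# Report on the current environment; findings do not abort the script.
audit_path "$PATH" || echo "PATH needs review before running passwd as root"
```
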

 
 
 

1. NIS+ user management [Was: Re: root changing a user's password (NIS)]


And Solaris 2 removed `passwd -f <filename>'; the "-f" option now
means "force password change at next login".

                                  .  What other ways are there that are safer?

Good question.  I haven't used Solaris 2 at a large site long enough
for it to be much of an issue.  When necessary, I've just done as you
and edited the file by hand (using Emacs, which when saving at least
gives warning if the file's been changed).  Several years ago at Sun,
I recall there being a `viyp' utility for editing NIS files.  Maybe
they made it publicly available.  I think it's harder to enforce
such a utility's use than it is to write one. ;-)

On a related note -- what is the recommended/approved/best way to add
new users and remove ex-users to/from NIS+ ??  One would hope `useradd'
could do it -- nope.  The NIS+ utilities `nis{addent,populate}' are
tailored towards adding to NIS+ tables from ASCII files or NIS maps
rather than dealing with a single "user" entry.  And using plain
`nistbladm' and `nisaddcred' options is crude and error-prone.

I've searched to no avail for some "cookbook" method of handling NIS+
user management.  My old NIS+ book was useless for that issue.  Maybe
I just have a blind spot.  Any suggestions would be appreciated...
thanks!

-sjk

--
Scott J. Kramer                         Graham Technology Solutions
Sr. UNIX Systems Administrator          20823 Stevens Creek Blvd., Suite 300

http://www.graham.com                 +1.408.366.8001
